Most Breaches Have Potential to Cause Significant Harm, Report Finds

Most privacy breaches in Alberta represent a real risk of significant harm (RROSH) to affected individuals, according to a report from the province’s Office of the Information and Privacy Commissioner (OIPC).

On July 27, the OIPC released a report analyzing close to 2,000 breaches that took place from 2010 to 2021. The majority of those breaches (68%) posed a real risk of significant harm. In this blog, we’ll offer an overview of what constitutes an RROSH breach and outline the leading causes of breaches.

The RROSH threshold helps organizations determine when a privacy breach must be reported to the Commissioner and when affected individuals and others must be notified. The same threshold applies federally under the Personal Information Protection and Electronic Documents Act (PIPEDA), which means that this report provides helpful guidance to organizations across Canada, not only in Alberta.

What Creates a Real Risk of Harm?

According to the OIPC, several factors can contribute to an RROSH determination, including:

  • Breaches that resulted from deliberate action or malicious intent
  • Breaches from which personal information was not recovered, returned or destroyed
  • The length of time personal information was exposed
  • The inability to determine whether personal information was accessed
  • Breaches that involved unencrypted personal information

Conversely, factors that make it less likely a breach will result in significant harm include:

  • Accidental or inadvertent breaches
  • Breaches from which personal information has been recovered, destroyed or not used
  • Breaches involving encrypted information
  • Breaches that are reported to an organization by the unintended recipients of personal information
  • Breaches involving an unintended recipient that is a known or trusted party
  • Breaches involving personal information that cannot be used to cause significant harm

The OIPC reported that 71% of RROSH breaches were caused by deliberate action or malicious intent, including ransomware attacks, hacks, theft and deliberate action by rogue employees. Meanwhile, 86% of cases that did not pose a significant risk of harm resulted from accidental or inadvertent breaches.

Just over half (53%) of RROSH breaches involved unauthorized access to personal information, while 23% involved the loss of personal information and 24% involved unauthorized disclosure of personal information, according to the OIPC.

Leading Causes of Breaches

The OIPC found that 37% of the RROSH breaches reported from 2010 to 2021 involved compromised electronic information systems. These breaches include malware and ransomware attacks, exploitation of system vulnerabilities and forced intrusions (i.e., hacks).

Theft (15%) was the second leading cause of RROSH breaches. These breaches include stolen physical documents, mobile devices and portable storage media containing personal information.

Transmission errors also accounted for 15% of RROSH breaches. These breaches include misdirected emails, letters and faxes containing personal information.

Social engineering and phishing attacks accounted for 12% of RROSH breaches over the full period, although they have been the second-leading cause of RROSH breaches in recent years. Phishing is a form of social engineering: in both, a malicious actor poses as a trustworthy organization or individual in order to obtain personal information or credentials, or to induce the target to take an action such as opening a malicious attachment or link. The OIPC noted that these attacks are likely underreported, because a breach that begins with a phishing message and ends in a system compromise is often reported only under the compromised electronic information systems category.

The fifth most common cause of RROSH breaches was a failure to secure personal information. These types of breaches may involve misconfigured websites or networks that leave personal information exposed online, as well as the loss of hard copy documents and unencrypted storage devices.

Are You Prepared to Respond to a Breach?

Organizations in many jurisdictions are required to report certain breaches to the relevant Privacy Commissioner and notify affected individuals and others. Next week, we’ll outline the key considerations for determining whether your organization is required to report a breach.

The MLT Aikins Privacy, Data Protection & Cybersecurity team has extensive experience helping clients develop effective strategies to prevent and respond to privacy breaches. Download our cybersecurity checklist to assess your organization’s current cybersecurity strategy.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.